diff --git a/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch b/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
new file mode 100644
index 0000000..c38fef0
--- /dev/null
+++ b/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
@@ -0,0 +1,28 @@
+commit 5824364d995e5d2418f885ee57e377e11d1b3302
+Author: Ingo Franzki
+Date: Wed Jul 7 13:44:46 2021 +0200
+
+ pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
+
+ When modifying opencryptoki.conf during token migration, put quotes
+ around strings that contain spaces, e.g. for the slot description and
+ manufacturer.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index 94fd1196..3df1596e 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
+ {
+ struct parseupdate *u = (struct parseupdate *)private;
+
+- if (tok != KW_TOKVERSION)
++ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
++ strchr(val, ' ') != NULL)
++ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
++ else if (tok != KW_TOKVERSION)
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ return 0;
+ }
diff --git a/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch b/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
new file mode 100644
index 0000000..8f1477c
--- /dev/null
+++ b/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
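Review bot: In the parseupdate_key_str hunk of 5824364d, the new quoted branch writes `val` between double quotes unchanged, so a value that itself contains `"` would yield a line the configuration parser reads differently or rejects; whether the grammar permits such a value is not visible here and should be confirmed. The first condition also omits the `tok != KW_TOKVERSION` test that the `else if` keeps, so a tokversion string containing a space is now written where it used to be suppressed; `if (tok != KW_TOKVERSION && tok != KW_HWVERSION && tok != KW_FWVERSION && strchr(val, ' ') != NULL)` keeps the old rule. The unescaped quoting is carried into the quoted branches of the d2f137cc rework later on this page. The result of `fprintf` is ignored and the function returns 0 regardless, so a failed write to the rewritten opencryptoki.conf is not reported from this callback.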
@@ -0,0 +1,104 @@
+commit d2f137cce5e6efb123842509352c7c49f889c67f
+Author: Ingo Franzki
+Date: Thu Jul 22 15:55:02 2021 +0200
+
+ pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
+
+ Due to the way the parser works, a slot description like
+ 'description = "slot"' works, but not without quotes ('description = slot').
+ The word 'slot' is treated as a keyword if not quoted (besides other keywords,
+ too), so if the word 'slot' would appear in an unquoted string, the
+ configuration file would fail to parse.
+
+ Always quote the value of 'description' and 'manufacturer'. Quote the
+ value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
+ never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index a29dc8f7..853986e8 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2060,7 +2060,7 @@ done:
+ */
+ static int parseupdate_ockversion(void *private, const char *version)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+ fprintf(u->f, "version %s", version);
+ return 0;
+@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
+
+ static void parseupdate_eol(void *private)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+ fputc('\n', u->f);
+ }
+
+ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+ u->activeslot = (slot == u->slotnum);
+ if (nl_before_begin)
+@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
+
+ static int parseupdate_end_slot(void *private)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+ if (u->activeslot)
+ fprintf(u->f, " tokversion = 3.12\n");
+@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
+
+ static int parseupdate_key_str(void *private, int tok, const char *val)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
+- strchr(val, ' ') != NULL)
++ switch (tok) {
++ case KW_SLOTDESC:
++ case KW_MANUFID:
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+- else if (tok != KW_TOKVERSION)
++ break;
++ case KW_STDLL:
++ case KW_CONFNAME:
++ case KW_TOKNAME:
++ if (strchr(val, ' ') != NULL)
++ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
++ else
++ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
++ break;
++ case KW_HWVERSION:
++ case KW_FWVERSION:
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
++ break;
++ }
+ return 0;
+ }
+
+ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+ if (tok == KW_TOKVERSION && !u->activeslot)
+ fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
+@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
+
+ static void parseupdate_eolcomment(void *private, const char *comment)
+ {
+- struct parseupdate *u = (struct parseupdate *)private;
++ struct parseupdate *u = (struct parseupdate *)private;
+
+ fprintf(u->f, "#%s", comment);
+ }
diff --git a/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch b/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
new file mode 100644
index 0000000..a3bf6ea
--- /dev/null
+++ b/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
@@ -0,0 +1,25 @@
+commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
+Author: Ingo Franzki
+Date: Thu Jul 8 15:18:30 2021 +0200
+
+ pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
+
+ When migrating a slot the opencryptoki.conf file is modified. If it
+ contains slots that already contain the 'tokversion = x.y' keyword,
+ this is accidentally removed when migrating another slot.
+
+
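Review bot: The `switch (tok)` added to parseupdate_key_str in d2f137cc has no `default:` label, so any string keyword other than the seven listed is dropped from the rewritten opencryptoki.conf without a message, whereas the code it replaces wrote every token except tokversion. If tokversion is the only keyword meant to be omitted, state that in the code with `case KW_TOKVERSION: break;` and place `default:` beside `case KW_FWVERSION:` so that unlisted keywords are still written unquoted. Which keywords the parser passes to this callback is decided outside the hunk, so the listed set should be checked against it. A one-line comment above the switch naming the three quoting classes from the commit message (always quoted, quoted when the value contains a space, never quoted) would keep the rule next to the code.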
Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index 3df1596e..05081aff 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
+ {
+ struct parseupdate *u = (struct parseupdate *)private;
+
+- if (tok != KW_TOKVERSION)
++ if (tok == KW_TOKVERSION && !u->activeslot)
+ fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
+ vers >> 16, vers & 0xffu);
+ return 0;
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 24c5310..e36a23c 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
 Version: 3.16.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -27,6 +27,9 @@ Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch +Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch +Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch +Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch Requires(pre): coreutils Requires: (selinux-policy >= 3.14.3-70 if selinux-policy-targeted)
@@ -357,6 +360,9 @@ fi %changelog +* Thu Aug 19 2021 Than Ngo - 3.16.0-5 +- Resolves: #1987256, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes + * Fri Jul 16 2021 Than Ngo - 3.16.0-4 - Resolves: #1964304, Fix detection if pkcsslotd is still running
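Review bot: In the parseupdate_key_vers hunk of e88a9de3, the new test `tok == KW_TOKVERSION && !u->activeslot` writes nothing for any other token, while the old `tok != KW_TOKVERSION` wrote all of them, so any other numeric version keyword the parser passes to this callback would now disappear from the rewritten file. The d2f137cc patch on this page handles `KW_HWVERSION` and `KW_FWVERSION` in parseupdate_key_str, which suggests only tokversion arrives here; a comment would record that assumption, for example `/* only tokversion is handled here; the active slot's value is written by parseupdate_end_slot() */`. The unchanged `fprintf` passes the unsigned expressions `vers >> 16` and `vers & 0xffu` to `%d`, and `%u.%u` would match the argument type. The function's closing brace lies outside the hunk.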